This change breaks two tests in the current suite ("Links, inline style" & "Quotes in attributes") since they both involve putting broken URLs inside links. Changing the tests to have URLs prefixed with http:// makes these tests pass correctly.
When building HTML links, pass all URLs through a new filterUrl() method.
implementation of filterUrl(), based on lib_filter
By default, PHP Markdown lets HTML snippets pass through unchanged. This is part of the design of Markdown. Markdown is not designed for dealing with unfiltered user input or a substitute for an XSS filter.
Assuming we add one, I don't think a URL filtering system should be active by default, because it'd break many current use cases (starting with my own website) where the input is trusted with relative links as well as HTML snippets.
My recommendation is to run an external XSS filter on Markdown's output. This way you know that whatever weird bug the parser has you're still safe. Bolting XSS filtering in a parser that does all those other unrelated complicated string manipulations is a recipe for security holes. I believe it's better to keep XSS filtering as a separate step.
On the subject:
also filter image URLs
All good points!
I'm using Markdown with markup and entities disabled, so regular HTML is not preserved. I can certainly understand not wanting to get into having to deal with all the possible transform exploits as security vulnerabilities rather than just plain old bugs.
Worth noting that the patch won't break your current usage - it just breaks some non-real-world tests in the suite:
I want to add my interest.
Is this something url_filter_func from issue #85 can be used for?
@markseu The new url_filter_func should allow transforming suspicious URLs into innocuous ones. Feel free to experiment.
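As an added illustration of the kind of callback discussed in this thread (the filterUrl() idea and the url_filter_func hook), here is a standalone PHP URL filter. It is example code written for this page, not php-markdown's own implementation; the function name `example_filter_url`, the allow-list of schemes and the `#` replacement value are this example's assumptions, and how a callable is handed to the library's url_filter_func option is not shown because that API is not described here. It keeps relative links unchanged (the trusted-input use case the maintainer mentions) and rewrites any link whose scheme is outside the allow-list to an innocuous value, after stripping whitespace/control characters and decoding entities so that obfuscated schemes are recognised.

```php
<?php
// Added example, not php-markdown's own code. The allow-list and the
// replacement value '#' are assumptions made for this illustration.

function example_filter_url(string $url): string
{
    // Schemes allowed in href/src. Everything else (javascript:, data:,
    // vbscript:, ...) is replaced by an innocuous value.
    static $allowed = ['http', 'https', 'mailto', 'ftp'];

    // Browsers skip ASCII control characters and whitespace when they parse
    // the scheme, so remove them before inspecting it.
    $clean = preg_replace('/[\x00-\x20\x7f]+/', '', $url);

    // The URL ends up inside an HTML attribute, where the browser decodes
    // character references; decode them here so "&#106;avascript:" is seen
    // as "javascript:".
    $clean = html_entity_decode($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // No scheme at all: a relative link (path, query, fragment). Keep it.
    // Note that protocol-relative links ("//host/path") also fall here.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $m)) {
        return $url;
    }

    $scheme = strtolower($m[1]);
    return in_array($scheme, $allowed, true) ? $url : '#';
}

// Constructed sample inputs for demonstration only.
$samples = [
    'http://example.com/page',
    '/relative/path#section',
    'mailto:someone@example.com',
    'javascript:void(0)',
    "java\tscript:void(0)",
    '&#106;avascript:void(0)',
    'data:text/plain,hello',
];

foreach ($samples as $s) {
    printf("%-32s => %s\n", str_replace("\t", '\t', $s), example_filter_url($s));
}
```

Running this prints the first three URLs unchanged and `#` for the remaining four. The filter deliberately returns the original string rather than the normalised one when the URL is accepted, so it never changes what the parser emits for trusted input; it only decides whether a link is allowed through at all.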